WO2000067460A1 - Method and system for fraud detection in telecommunications - Google Patents
- Publication number
- WO2000067460A1 (PCT/GB2000/001676)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- sub
- event data
- periods
- profile
- data packet
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/43—Billing software details
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/47—Fraud detection or prevention means
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/70—Administration or customization aspects; Counter-checking correct charges
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/70—Administration or customization aspects; Counter-checking correct charges
- H04M15/73—Validating charges
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/01—Details of billing arrangements
- H04M2215/0148—Fraud detection or prevention means
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/22—Bandwidth or usage-sensitive billing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/32—Involving wireless systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/70—Administration aspects, modify settings or limits or counter-check correct charges
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/70—Administration aspects, modify settings or limits or counter-check correct charges
- H04M2215/7072—Validate charges
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/22—Arrangements for supervision, monitoring or testing
- H04M3/2218—Call detail recording
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/22—Arrangements for supervision, monitoring or testing
- H04M3/36—Statistical metering, e.g. recording occasions when traffic exceeds capacity of trunks
Definitions
- the present invention relates to a method and apparatus for performing pattern recognition within event streams, and a system incorporating the same.
- One of the steps employed in, but not limited to use in, such fraud detection systems is pattern recognition from event streams.
- Pattern recognition for event streams can be achieved by building up profiles of the behaviour of an entity and performing pattern recognition over these profiles.
- In order for an entity to be profiled in this way, the entity must be able to have events associated with it. Examples of entities are: a single subscriber in a telephone network, a user accessing a data network, a switch in a telephone network or a server in a data network.
- the events to be associated with the user must be able to be represented in an Event Data Packet (EDP).
- the profiles of entities' behaviour are compared with known patterns of unacceptable behaviour to determine if the system should alert the end user to the entity's behaviour pattern.
- the flow of Event Data Packets 110 of information through a profiling pattern recognition system is shown in Figure 1.
- the Recent profile 130 represents the typical usage for the entity over a recent period of time, approximately the last week.
- the Historical profile 140 represents the typical use for the entity over a preceding and longer time period, for example approximately the last six weeks.
- the EDPs are all accumulated into Polls of information.
- a Poll 120 is a set of EDPs received over a particular time period (e.g. 4 hours).
- the Poll information is then used to update the values in the Recent profile, and the Recent profile is then used to update the values in the Historical profile.
- the solid arrow between the EDPs and the Poll indicates that the information in each Poll is directly created from the EDPs.
- the dotted arrow between the Poll and the Recent indicates that the Poll information is used only to update the
- where the EDPs are Call Detail Records (CDRs) and the profiles represent voice telephony usage, the profiles may consist of number of calls made and the duration of national and international calls. Table 1 shows an example of Recent and Historical profiles for such an example.
- Recent and Historic profiles may be as shown in Table 2.
- the new recent profile is derived from the previous recent profile plus a proportion of the difference between the new and old recent profiles
- the new historic profile is derived from the previous historic profile plus a proportion of the difference between the new and old historic profiles, but the proportions typically differ from that of the recent profile case in that a higher proportion of the old historic profile is taken.
- the Recent and Historic profiles are built up from a series of Poll profiles. In order for the Recent and Historic profiles to maintain their integrity all Poll profiles must cover the same amount of time, for example a 4 hour period.
- the period of time the Polls must all cover must not be too small, otherwise natural variations in behaviour will appear to be anomalous.
- a typical recommended minimum is two hours.
- the profiles generated only represent the active periods for the user; this means that a user who is active in only one two hour period a week could have a similar profile to a user who is active in twenty of the two hour periods in a week.
- the known patterns have to be represented in the same time period that the system polls over. This can increase training times for the account fraud detection system which analyses the Poll, Recent profile, and Historical profile information in order to identify anomalies.
- the invention seeks to provide an improved method and apparatus for behavioural pattern recognition for event streams in general and for event streams in account fraud detection systems in particular.
- a method of profiling a flow of event data packets comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a profile of recent behaviour for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
- the method may also comprise the steps of: creating a profile of historical behaviour for each of said sub-periods; at the end of said Base Time Period updating each of said Historical profiles responsive to the previous value of said Historical profile and a corresponding Recent profile, and resetting each said Recent profile.
- the method may also comprise the steps of: calculating an Event density for at least one of said Recent profiles.
- the said step of calculating an Event density comprises the steps of: identifying a current time; identifying a Recent profile within which said current time falls; dividing a number of events recorded in said Recent profile by a time duration determined by a difference between said current time and a start time of sub-period associated with said Recent profile.
- Said Event Data may correspond to time intervals of differing length.
- the method may be used to capture a representation of inactivity within said flow.
- the method may also be used to permit trend analysis for an initial sub-period during said sub-period.
- a method of performing anomaly detection on a stream of Event Data Packets comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
- a method of account fraud detection comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; receiving a series of Event Data Packets relating to account use; allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
- account use relates to telecommunications network use.
- Event Data Packets are call detail records.
- a method of network intrusion detection comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; receiving a series of Event Data Packets relating to account use; allocating each said Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
- Event Data Packets relate to network audit log data.
- Event Data Packets relate to IP packet data.
- a system for profiling a flow of event data packets comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create and store a Recent profile for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
- the system may be arranged to receive a plurality of flows and to perform processing on each flow independently of each other.
- a system for performing anomaly detection on a stream of Event Data Packets comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
- a system for account fraud detection comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
- a system for network intrusion detection comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
- the invention also provides for a system for the purposes of profiling a flow of event data packets which comprises one or more instances of apparatus embodying the present invention, together with other additional apparatus.
- a machine readable medium arranged for profiling a flow of event data packets by: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
- Figure 1 shows a block diagram of information flow in a behavioural pattern recognition system in accordance with the prior art
- Figure 2 shows a block diagram of information flow in a behavioural pattern recognition system in accordance with the present invention.
- the method proposed here is illustrated in Figure 2.
- the EDPs 210 (in this example taking the form of Call Detail Records (CDRs)) again feed into a Poll 220 of information and the Poll information is used to update the values in the Recent profiles 230a-f
- each entity has associated with it multiple Recent Profiles (six are shown but more or fewer may be used), where each Recent profile represents a period of time within a week (though a larger or shorter base period could be used), for example Saturday and Sunday between midnight and 8am.
- the Recent Profiles together cover the whole of a week period.
- Each Recent Profile has a related Historic Profile 240a-f which covers the same time period.
- Recent Profiles are filled until they contain all the data for the time period they cover. Once filled the values are used to update the corresponding Historic profile, and then the Recent profile values are reset to zero, and filled with the next CDRs in the time covered by the profile.
- a customer of voice telephony may have the Recent profiles of behaviour illustrated in Table 3 and corresponding Historic profiles illustrated in Table 4.
- the CDR at 7am is added to Recent Profile 1.
- This profile is 'complete', so the historic profile is updated.
- When the next time period is entered, its recent profile values are reset to zero and new values accumulated.
- the only Recent profiles changed are those that cover the same time period as the CDRs in the poll, namely periods 1 and 2.
- the only Historic profile changed is in period 1, the values in the Recent profile having been used to update the Historic profile. After updating the Historic profile, the Recent profile is then reset to zero before new CDR information is added to it.
- Event densities for historic profiles provide an average of behaviour over the whole time period. This means that dividing by the number of seconds in the time period gives the normal amount of behaviour in any one second. These are generally small values.
- Recent profiles however may or may not contain values for the whole of the time period they cover. Frequently the Recent profile that is being analysed is not yet complete. For example, if ten minutes of event data require analysing for the time period 9.15am to 9.25am then a recent profile that covers the time period 8am to 6pm will be updated, but the time period for this profile is not yet complete. As the period is incomplete the number of seconds to divide by is calculated as follows. The complete time period is divided into blocks of time, for example 30 minutes. A usage period consists of x of these blocks of time. The event data in the current incomplete Recent profile is divided by the number of seconds in the blocks covered so far. So event data covering up to 9.25 am has covered three 30 minute blocks so far and the values are divided by 5400 seconds (90 minutes). Conversion into densities enables pattern recognition to be performed over event data that covers just a portion of the total time period. This method has the advantages that:
- the polls of event data can be of any size whilst still allowing the profiles produced by the system to maintain their integrity;
- the profiles represent accurately the behaviour of the user, including a representation of inactivity by the user, and a representation of the time of use.
- This method may be used in several application areas. These include telephony fraud detection using call detail records (CDRs), anomaly detection on data streams, network intrusion detection using audit log data or IP packet data.
- the method also provides a means of comparison between recent behaviour and past behaviour for event streams that has potentially wide application for the rapid detection of behavioural changes.
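The sub-period profiling and event-density calculation described above, as an added example that is not code from the patent. It assumes a base period of one day split into three sub-periods (midnight to 8am, 8am to 6pm, 6pm to midnight), an update of the form historic += proportion × (recent − historic) with an assumed proportion of 0.2, and time-ordered events; the class and function names are hypothetical.

```python
import math
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Optional

BLOCK_SECONDS = 30 * 60     # 30-minute blocks, as in the text's worked figure
HISTORIC_PROPORTION = 0.2   # assumed; the page gives no value for the proportion
FIELDS = ("calls", "seconds")


def zero():
    return {f: 0.0 for f in FIELDS}


@dataclass
class SubPeriodProfile:
    start_hour: int                          # inclusive
    end_hour: int                            # exclusive
    recent: dict = field(default_factory=zero)
    historic: dict = field(default_factory=zero)
    window: Optional[date] = None            # day the Recent profile is filling for

    def fold(self, values):
        # Historic moves a proportion of the way towards the completed window.
        for f in FIELDS:
            self.historic[f] += HISTORIC_PROPORTION * (values[f] - self.historic[f])

    def roll_to(self, day):
        """Close completed windows before accepting data for `day`."""
        if self.window is not None and day > self.window:
            self.fold(self.recent)
            for _ in range((day - self.window).days - 1):
                self.fold(zero())            # a window with no events is inactivity
            self.recent = zero()
        self.window = day if self.window is None else max(self.window, day)


class EntityProfiler:
    # One set of Recent/Historic profiles per entity; events arrive in time order.
    def __init__(self, boundaries=(0, 8, 18, 24)):
        self.profiles = [SubPeriodProfile(a, b)
                         for a, b in zip(boundaries, boundaries[1:])]

    def profile_for(self, ts):
        return next(p for p in self.profiles
                    if p.start_hour <= ts.hour < p.end_hour)

    def add_event(self, ts, duration_seconds):
        p = self.profile_for(ts)
        p.roll_to(ts.date())
        p.recent["calls"] += 1
        p.recent["seconds"] += duration_seconds

    def recent_density(self, now, name="calls"):
        p = self.profile_for(now)
        p.roll_to(now.date())
        start = now.replace(hour=p.start_hour, minute=0, second=0, microsecond=0)
        blocks = max(1, math.ceil((now - start).total_seconds() / BLOCK_SECONDS))
        return p.recent[name] / (blocks * BLOCK_SECONDS)   # blocks covered so far

    def historic_density(self, now, name="calls"):
        p = self.profile_for(now)
        return p.historic[name] / ((p.end_hour - p.start_hour) * 3600)


# Constructed sample CDRs (timestamp, call duration in seconds) for one subscriber.
SAMPLE_CDRS = (
    [(datetime(2000, 5, 1, h, 10), 120) for h in (9, 11, 14, 16)]      # day 1
    + [(datetime(2000, 5, 3, 9, 15 + m), 30) for m in range(9)]        # day 3 burst
)


def run_sample(now=datetime(2000, 5, 3, 9, 25)):
    profiler = EntityProfiler()
    for ts, duration in SAMPLE_CDRS:
        profiler.add_event(ts, duration)
    recent = profiler.recent_density(now)
    historic = profiler.historic_density(now)
    return profiler, recent, historic, recent / historic
```

In the sample, the silent day between the two active days is folded into the Historic profile as a zero window, and the burst between 9.15am and 9.25am is divided by 5400 seconds rather than by the full ten-hour sub-period.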
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IL14631400A IL146314A0 (en) | 1999-05-04 | 2000-04-28 | Method and system for fraud detection in telecommunications |
AU45884/00A AU4588400A (en) | 1999-05-04 | 2000-04-28 | Method and system for fraud detection in telecommunications |
CA002373017A CA2373017A1 (en) | 1999-05-04 | 2000-04-28 | Method and system for fraud detection in telecommunications |
EP00927481A EP1179260A1 (en) | 1999-05-04 | 2000-04-28 | Method and system for fraud detection in telecommunications |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB9910268.3 | 1999-05-04 | ||
GBGB9910268.3A GB9910268D0 (en) | 1999-05-04 | 1999-05-04 | Behavourial pattern recognition for event streams |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2000067460A1 (en) | 2000-11-09 |
Family
ID=10852761
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB2000/001676 WO2000067460A1 (en) | 1999-05-04 | 2000-04-28 | Method and system for fraud detection in telecommunications |
Country Status (6)
Country | Link |
---|---|
EP (1) | EP1179260A1 (en) |
AU (1) | AU4588400A (en) |
CA (1) | CA2373017A1 (en) |
GB (1) | GB9910268D0 (en) |
IL (1) | IL146314A0 (en) |
WO (1) | WO2000067460A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1497748A1 (en) * | 2002-03-28 | 2005-01-19 | Neural Technologies Ltd. | Configurable profiling of data |
US7142651B2 (en) | 2001-11-29 | 2006-11-28 | Ectel Ltd. | Fraud detection in a distributed telecommunications networks |
US11062315B2 (en) | 2018-04-25 | 2021-07-13 | At&T Intellectual Property I, L.P. | Fraud as a service |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5375244A (en) * | 1992-05-29 | 1994-12-20 | At&T Corp. | System and method for granting access to a resource |
WO1996031043A1 (en) * | 1995-03-30 | 1996-10-03 | British Telecommunications Public Limited Company | Detecting possible fraudulent communications usage |
WO1997003533A1 (en) * | 1995-07-13 | 1997-01-30 | Northern Telecom Limited | Detecting mobile telephone misuse |
WO1999005844A1 (en) * | 1997-07-22 | 1999-02-04 | British Telecommunications Public Limited Company | Fraud monitoring system |
-
1999
- 1999-05-04 GB GBGB9910268.3A patent/GB9910268D0/en not_active Ceased
-
2000
- 2000-04-28 AU AU45884/00A patent/AU4588400A/en not_active Abandoned
- 2000-04-28 EP EP00927481A patent/EP1179260A1/en not_active Withdrawn
- 2000-04-28 CA CA002373017A patent/CA2373017A1/en not_active Abandoned
- 2000-04-28 WO PCT/GB2000/001676 patent/WO2000067460A1/en active Application Filing
- 2000-04-28 IL IL14631400A patent/IL146314A0/en unknown
Non-Patent Citations (2)
Title |
---|
BARSON P ET AL: "The detection of fraud in mobile phone networks", INTERNATIONAL NEURAL NETWORK SOCIETY ANNUAL MEETING. PROCEEDINGS OF WORLD CONGRESS ON NEURAL NETWORKS,XX,XX, vol. 6, no. 4, 16 April 1996 (1996-04-16), pages 477 - 484, XP002085421 * |
BURGE P ET AL: "Fraud detection and management in mobile telecommunications networks", EUROPEAN CONFERENCE ON SECURITY AND DETECTION, 28 April 1997 (1997-04-28), XP002085420 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7142651B2 (en) | 2001-11-29 | 2006-11-28 | Ectel Ltd. | Fraud detection in a distributed telecommunications networks |
EP1497748A1 (en) * | 2002-03-28 | 2005-01-19 | Neural Technologies Ltd. | Configurable profiling of data |
EP1497748A4 (en) * | 2002-03-28 | 2006-09-06 | Neural Technologies Ltd | Configurable profiling of data |
US7471780B2 (en) | 2002-03-28 | 2008-12-30 | Cerebrus Solutions Limited | Configurable profiling of data |
US11062315B2 (en) | 2018-04-25 | 2021-07-13 | At&T Intellectual Property I, L.P. | Fraud as a service |
US11531989B2 (en) | 2018-04-25 | 2022-12-20 | At&T Intellectual Property I, L.P. | Fraud as a service |
Also Published As
Publication number | Publication date |
---|---|
GB9910268D0 (en) | 1999-06-30 |
EP1179260A1 (en) | 2002-02-13 |
CA2373017A1 (en) | 2000-11-09 |
AU4588400A (en) | 2000-11-17 |
IL146314A0 (en) | 2002-07-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7406161B2 (en) | System and method for real-time fraud detection within a telecommunication network | |
US5805686A (en) | Telephone fraud detection system | |
US7457401B2 (en) | Self-learning real-time prioritization of fraud control actions | |
US6597775B2 (en) | Self-learning real-time prioritization of telecommunication fraud control actions | |
US6601014B1 (en) | Dynamic deviation | |
CN110677269B (en) | Method and device for determining communication user relationship and computer readable storage medium | |
WO2000067460A1 (en) | Method and system for fraud detection in telecommunications | |
US7631355B2 (en) | System and method for identifying extreme behavior in elements of a network | |
US8494128B2 (en) | Performance monitoring in a telephone network | |
CN107086978A (en) | A kind of method and device for recognizing trojan horse | |
US7471780B2 (en) | Configurable profiling of data | |
CN114338916B (en) | Theft-fighting alarm method and system | |
CN106982452B (en) | Method and device for determining call quality | |
CN114866645A (en) | Method and device for processing customer service incoming call and electronic equipment | |
CN103188651A (en) | Information correlation method and device | |
KR20050026191A (en) | Telecommunication system using single-rate charging service, and single-rate charging apparatus and method therefor | |
WO2003090081A1 (en) | A hierarchical system for analysing data streams |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states | Kind code of ref document: A1 Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
ENP | Entry into the national phase | Ref document number: 2373017 Country of ref document: CA Ref country code: CA Ref document number: 2373017 Kind code of ref document: A Format of ref document f/p: F |
WWE | Wipo information: entry into national phase | Ref document number: 2000927481 Country of ref document: EP |
WWP | Wipo information: published in national office | Ref document number: 2000927481 Country of ref document: EP |
REG | Reference to national code | Ref country code: DE Ref legal event code: 8642 |
NENP | Non-entry into the national phase | Ref country code: JP |